Covid has forced many advisors and reps to work from home over the past year. With little time for planning or preparation, firms and financial professionals did the best they could, cobbling together plans and systems in order to continue doing business in an uninterrupted fashion.

But turning on a dime to continue operations 19 months ago may have left gaps in many firms’ technology and cybersecurity policies and safeguards just as financial cyber attacks have become more of a threat than ever—rising 41% in the first half of the year, according to LexisNexis Risk Solutions.

“As many of us are returning to the office, now is a good time to take stock of your cyber hygiene,” Charles Schwab Corp. said in a new prep list. The list is designed for financial professionals who want to make sure they fill in those cybersecurity gaps with plans that will stand up to regulatory scrutiny.

What is clear is that the transition back to the office after 19 months at home requires more than just turning off your laptop and bringing it to work with you.
There are five main cybersecurity and operational issues to consider when transitioning your team back into the office, Schwab said.

Whether you are transitioning back to a full-time in-office work schedule or a more hybrid schedule, at the top of your list should be communicating your expectations and policies regarding cybersecurity so that employees and independent advisors know what your firm expects, Schwab said.

“For many firms, hybrid models where employees split time between working remotely and in person will be a part of the future. Switching back and forth between workstation setups can create the temptation to file-share and email using personal accounts or save documents to removable media. This can introduce a great deal of risk, and it may be beneficial to err on the side of caution and ban these practices,” Schwab said.

Decide what type of switching and file-sharing, if any, will be permissible and clearly communicate your policies up front to avoid confusion and missteps, the report said.

It is also a time to look for vulnerabilities. While the hybrid environment worked well for many firms and advisors—some of whom said they didn’t miss a beat in terms of servicing clients—it is ripe for an increase in cybercrime, Schwab said.

For instance, the Securities and Exchange Commission said examiners are finding “an increase in the number of cyber-attacks against SEC-registered investment advisers and brokers and dealers using credential stuffing to access client accounts using compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information.”

The failure to mitigate the risks of credential stuffing proactively “significantly increases various risks for firms, including but not limited to financial, regulatory, legal, and reputational risks, as well as, importantly, risks to investors,” the agency said.

Another scam—altering the destination details of an asset transfer requested via email—also seems to be on the rise, according to Patrick Hennessey, Schwab’s director of technology consulting. This can occur when one party's email account has been compromised and can result in cyber theft.

Hennessey said that now more than ever "cybercriminals are looking to exploit the changing environment." He recommends that advisors verify not only the authenticity of such requests, but also destination details laid out in emails.

Clients should also be instructed to review wire instructions or other disbursement details to make sure that requests reflect the desired instructions and that funds will reach the intended destination, Hennessey said.

You should also consider updating your devices, especially if equipment has been left unused in the office for the past 19 months of pandemic shutdown. Such “devices may not have been scanned, updated, or patched. Make sure that the latest security updates have been applied to the operating system and all applications,” Schwab said.

Scanning equipment for added software is another frontline defense against cybercrime. “If your devices are not locked down to prevent users from installing new programs, they may now contain unauthorized applications and software,” Schwab said.

A planned office reopening is a key time to ensure equipment is scanned for rogue apps and that all such software is removed before allowing users to connect to your business network, Schwab said.

“Once all of your devices are clean, take steps to prevent this from happening again. Reserve the right to install new software for the appropriate administrators at your firm,” Schwab said.

With a return to the office looming, it may also be a good time to strategically take formal inventory of all the computer equipment and accessory purchases your firm needed to make when the pandemic hit.

“We know that many advisors needed to purchase additional hardware to facilitate new work-from-home setups. Add those new laptops, webcams, and mobile devices to your hardware inventory,” Schwab said.

If your firm added any new third-party vendors or cloud-based platforms, it’s important to add them to your firm’s inventory as well.

“This time around, we have room to be a bit more deliberate and thoughtful in our transition—but there is still much to consider to ensure the resilience of your firm and the well-being of your people. Incorporate these practices into your return-to-office plan to lighten the load as it relates to cybersecurity,” Schwab said.